[Mailman-Users] GDPR

[Stephen J. Turnbull]

Ángel writes:

 > First of all, and I think it hasn't been mentioned yet is the Right
 > to access, ie. of letting people know which data you have about
 > them.
 > 
 > I would consider that listing all post by email address X would
 > fulfill it, plus a search feature (*) in case they want to search
 > by other terms, like looking for posts with their name in it.

Many posts will include their names in CCs, especially on lists that
munge Reply-To.  Some of these may be hidden (eg, Reply-To is normally
not displayed; I don't know offhand if it's in the mbox files).

However, I think that what that clause means is not "all data items
that mention you," but rather "what personally identifying information
(PII) is stored," ie, name, email, postal address (.sig!), phone
number (.sig!), blog and other website URLs, etc.  The right to be
forgotten would imply at least redacting *all* instances of such PII.

 > (*) It is my understanding that just providing the mbox and
 > expecting them to grep through it just as the sysadmin would have
 > to do would be sufficient (OTOH if you had an advanced system for
 > completely tracking a guy, and provide him just a crude interface
 > that's probably not ok).

If the archives are private, this is seriously problematic if it
provides access to nonsubscribers who "are afraid" they were
mentioned.  Do you really want a stalker trawling through your private
lists just because somebody "might" have called him out by name?

 > Having to find out "anything and everything" where the user was
 > mentioned may imho require what the GDPR calls "a disproportionate
 > effort", and could even result into some liability for not finding some
 > instance.

What "disproportionate" means will have to be decided by courts or
further legislation (I'm not familiar with how this works in the EU).
I suspect that a sed script redacting name, nickname, email addresses,
SNS aliases, phone, postal address, and geographical address (perhaps
even as minimal as city) will be the bare minimum expected for mailing
list archives to the extent that they are covered by GDPR.

 > As such, wrt redacting archives my view is that they should provide
 > all the urls to the content they want removed (which they should
 > have been able to easily found per above).

This could easily be thousands of posts in a long-running mailing
list.  Really, you'd want it done in bulk, using sed on an mbox or SQL
on a database, rather than URL by URL in the HTML.

 > If I detected that there was a follow-up top-posting email containing
 > the original content I would probably also truncate it, but strictly as
 > a courtesy matter and with no guarantees that I would do that.

Consider the example provided later in the thread of a private email
forwarded to the list by a subscriber.  Through no action of their
own, the private mail's author's PII was distributed over dozens (and
in really extreme cases it could be 100s) of posts in a long thread.
Anyway, as pointed out above, I'm pretty sure GDPR envisions *all*
instances of PII being redacted.

 > If they failed to find themselves, why would I need to dig through
 > the archives, not even knowing what I am looking for?

Because if it turns out later that that PII was found in your
archives, you will definitely be considered guilty of negligence or
worse.  You really cannot expect either users who want their PII
redacted or courts to be at all sympathetic to the mailing list
managers on this point.

 > There are too many ways to refer to someone, the email address,
 > different names and abbreviations (and misspellings!), which would
 > not even be unique, plus all kind of references (just suppose that
 > the people to which Julian referred claimed that his email contains
 > PII about them!).

The proverb, "the law is an ass", applies.  But that doesn't mean
people of ill-will can't abuse it, and people in a panic (eg, stalking
victims) may not care about your problems when they are literally at
risk of being murdered if found out.

This applies to several of your other comments implying that you can't
believe that the law means what it says, so I'm eliding them.

 > I would expect reasonable requests not to be a problem, though
 > (eg. just removing an address from a mail signature).

GDPR is not reasonable for mailing list operators who maintain
archives, period.  The problem is not the intent of lawmakers, who
mostly are horrified by the abuses that hackers have made of private
information leaked from various databases, and want to address those
problems as well as stalkers of various types.  The problem is that
people who would use such querying and redaction facilities are
likely to be in an "unreasonable" state of mind, as described above.

Unless we somehow have a blanket exemption, or "click-wrap" "I waive
my GDPR rights with respect to posts to this list" Subscriber
Agreements are deemed valid, I half-expect GDPR will kill volunteer-
maintained mailing lists in Europe, and likely get Europeans banned
from lists elsewhere.

I don't agree with the scams currently being promoted that ban
subscriptions or even commercial transactions simply because the IP
address is allocated to Europe.  I hope that you're right, that the
"unbelievable" implications of GDPR actually aren't implied by the law
as it will be enforced.  I'm certainly going to wait for enforcement
policy to become clear, and will do my best to comply in the unlikely
event I have to deal with such requests under GDPR (my own mailing
lists are full of Asian students in Japan).  But I still see no good
reason to be confident that mailing lists are at zero risk just by
taking a few simple precautions to comply with GDPR.

 > The user could be browsing a mailing list archive (as noted above)
 > that provides a link to "report content to remove" (automatically
 > verifying the reporter provided email address),

What does "verify" mean here?  The problematic address may have been
deleted or pwned, and not available to the person wanting redaction.

Steve